The site, crypto.cat, has a chunky, 8-bit sensibility, with a big-eyed binary cat in the corner. The visitor has the option to name, then enter a chat. There’s some explanatory text, but little else. It’s deceptively simple for a web app that can save lives, subvert governments and frustrate marketers. But as little as two years ago such a site was considered to be likely impossible to code.

Cryptocat is an encrypted web-based chat. It’s the first chat client in the browser to allow anyone to use end-to-end encryption to communicate without the problems of SSL, the standard way browsers do crypto, or mucking about with downloading and installing other software. For Kobeissi, that means non-technical people anywhere in the world can talk without fear of online snooping from corporations, criminals or governments.

“The fact that you don’t have to install anything, the fact that it works instantly, this increases security,” he explained, sitting down with Wired at HOPE 9 to talk about Cryptocat, activism and getting through American airports.

To create Cryptocat, Kobeissi had to deal with controversies in computer security, usability and geo-politics.

When he flies through the US, he’s generally had the notorious “SSSS” printed on his boarding pass, marking him for searches and interrogations — which Kobeissi says have focused on his development of the chat client.

Online privacy doesn’t have a lot of corporate or governmental fans these days, but Kobeissi has faced controversy before.

“During 2010 and 2011 I was a defender of WikiLeaks and the free press in general, and I thought ‘Collateral Murder’ (the WikiLeaks publication of a controversial helicopter assault video) was a highly significant piece of journalism,” he said.

He mirrored WikiLeaks content and organized a march in support of the organization during the period in late 2010 when WikiLeaks found itself thrown off of Amazon’s hosting service and blocked by credit card companies. “I know for certain that it’s contributed to other defenders of WikiLeaks and Bradley Manning being harassed, so it’s somewhat likely that I could also be targeted.” Still, Kobeissi points out that he’s never been questioned about WikiLeaks, only about Cryptocat.

His SSSS’s can mean hours of waiting, and Kobeissi says he has been searched, questioned, had his bags and even his passport taken away and returned later. But he’s kept his sense of humor about the experience, even joking from the airport on his Twitter account.

The young and cheerfully sarcastic Kobeissi is somewhat baffled by the border attention. Kobeissi said that in one of his last U.S. trips through Charlotte, NC, “In total I was searched either three or four times,” — in a single visit. “Why? Do bombs materialize? I don’t understand,” he continued. If the searches, delays, and interrogations about Cryptocat are an intimidation tactic, they haven’t worked.

“Dear US Government, I’m from Lebanon,” Kobeissi said, laughing. “You don’t scare me, you don’t understand. My friends were killed in 2008, my house was bombed and my neighborhood ruined. My father was killed in 2006. You don’t scare me at all. If you want to scare me, send me for torture in Syria. But you can’t anymore, because Syrians are revolting.”

A U.S. Customs and Border Protection spokesman declined to comment on Kobeissi’s detentions at the border, saying he was prohibited from doing so by privacy laws, though he maintains that it plays nicely with foreigners.

The United States has been and continues to be a welcoming nation. U.S. Customs and Border Protection not only protects U.S. citizens and lawful permanent residents in the country but also wants to ensure the safety of our international travelers who come to visit, study and conduct legitimate business in our country.

Our dual mission is to facilitate travel in the United States while we secure our borders, our people and our visitors from those that would do us harm like terrorists and terrorist weapons, criminals, and contraband. CBP officers are charged with enforcing not only immigration and customs laws, but they enforce over 400 laws for 40 other agencies and have stopped thousands of violators of U.S. law.

CBP strives to treat all travelers with respect and in a professional manner, while maintaining the focus of our mission to protect all citizens and visitors in the United States.

To get Cryptocat to the hands of Syrians resisting their government, or Canadians resisting being profiled by marketers, Kobeissi had to build a crypto tool in a place where no crypto tool has ever flourished — your browser. “You have to make it just as easily accessible as Facebook Chat or Google Talk, which is what I’m trying to do with Cryptocat,” he said.

Google, Facebook and an infinite variety of other sites are pushing more functionality into the browser to increase the power of web apps, and the browser has become, for many people, the main interface of their computer. But from a security point of view, the browser has always failed to provide for users — in no way worse than in cryptography.

Encrypting data to keep it away from prying eyes, be they hackers or nations, has proved nearly impossible in the browser, which has relied on one standard to do everything: SSL, which is known to be broken. The terrible state of browser security plagued Kobeissi in his work to build Cryptocat.

“Browsers are huge, complex, multilayered beasts with lots of moving parts, and every last one of them implements at best some dialect of each of the many standards that a modern browser has to support,” said Meredith Patterson, a senior research scientist at Red Lambda. Patterson deals with security and cryptography on an architectural level in her research, and has reviewed and commented on Cryptocat.

Problems like bad browser sandboxing meant that something in one tab could affect a session in a Cryptocat window. No libraries or standards existed to handle normal encryption functions in JavaScript. The biggest problem is that delivery of JavaScript code from server to browser could be intercepted and modified by breaking the SSL connection without a user ever knowing they were running malicious code.

Kobeissi faced criticism from the security community for even trying, but he persevered. Now more than a year later, “Cryptocat has significantly advanced the field of browser crypto,” he said with obvious pride. “We implemented elliptic curve cryptography, (and) a cryptographically secure random number generator in the browser,” along with creating a Cryptocat Chrome app to address the code delivery problem.

“I don’t think Nadim really knew what he was in for when he started this project, but although it got off to a bumpy start, he’s risen to the occasion admirably,” said Patterson.

But Kobeissi also knows that it’s equally important that Cryptocat be usable and pretty. Kobeissi wants Cryptocat to be something you want to use, not just need to. Encrypted chat tools have existed for years — but have largely stayed in the hands of geeks, who usually aren’t the ones most likely to need strong crypto. “Security is not just good crypto. It’s very important to have good crypto, and audit it. Security is not possible without (that), but security is equally impossible without making it accessible.”

Patterson agrees with Kobeissi’s approach. “As much as it drives all of us nerds batshit, J. Random internet user spends most if not all of her time in the browser, and generally doesn’t care to install even a separate email client — much less a separate chat client,” she said. “If you don’t go where the users live, you don’t get users. End of story.”

Nevertheless, Kobeissi has said repeatedly that Cryptocat is an experiment. Structural flaws in browser security and JavaScript still dog the project as it moves toward version 2, scheduled for the end of the year. Cryptocat 2 will be a full Jabber client, allowing for both current-style OTR and Multi Party, or mpOTR, for group chats. OTR is Off-The-Record messaging, the current gold standard in encrypted chat. (Not to be confused with Google Talk’s OTR, which is not encrypted at all.)

Screenshot of the second version of Cryptocat, a Jabber/XMPP client with full OTR support.

He isn’t eager to bet his life on his work to date. But in environments like the Arab revolts, he acknowledges that for all of Cryptocat’s flaws, it’s better than software many people in Arab countries use right now, which can put them in tremendous danger. “If the alternative is Facebook Chat or Google Talk or Skype… please use Cryptocat by all means, but it’s still an experiment.”

Thus far Cryptocat hasn’t penetrated far into the consciousness of the common user, but for some groups in need of secure communications, it’s already part of the toolkit. “High security, simple to use,” said an active participant in the internet collective Anonymous, which has faced prosecution and worse the world over. “If it’s a hurry and someone needs something quickly, Cryptocat.”

Kobeissi himself grew up in Beirut, Lebanon. Besides authoring the secure chat tool and being a security researcher, he’s a political science and philosophy major at Concordia University in Montreal, Canada. His post-college job is set — he’ll be developing Cryptocat full time, living on grant money for the project.

He emigrated to Canada after a conversation with his mother, when the then-teenager came to realize he might not live very long in Lebanon — a situation that informed his software design. He’s vocal about his love of his adopted home in Canada, as well as about how the internet and games kept him going through the rough times in the war-torn country of his birth: “The happiest things in my childhood were Sega Game Gear and Sega Genesis.” It’s clear that Cryptocat’s distinctive 8-bit feel isn’t just a gimmick.

Nowadays he sees himself as coming from two cultures, North American and Middle Eastern, and it gives him a rare perspective on both the need and usefulness of getting crypto into the hands of everyone.

He believes that by building Cryptocat with more sensitivity to the pleasures of the user, he can help the people that need secure communications most. “I want it to be something that has a nice color scheme, that works in your browser, that you can open instantly, that’s easily accessible, that has a cat, that has audio notifications, that has desktop notifications,” Kobeissi said, “Because these are important security features.”

When faced with the torture of using crypto software or the torture of a repressive government, some dissidents have — intentionally or not — opted for the latter.

“I have seen someone who I know knows how to use OTR not use OTR, and get tortured as a result, in Syria… OTR is not accessible, it’s not a pleasure to use.”
